|Publication number||US6754716 B1|
|Application number||US 09/502,155|
|Publication date||Jun 22, 2004|
|Filing date||Feb 11, 2000|
|Priority date||Feb 11, 2000|
|Publication number||09502155, 502155, US 6754716 B1, US 6754716B1, US-B1-6754716, US6754716 B1, US6754716B1|
|Inventors||Rosen Sharma, Srinivasan Keshav|
|Original Assignee||Ensim Corporation|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (111), Non-Patent Citations (56), Referenced by (91), Classifications (13), Legal Events (6)|
|External Links: USPTO, USPTO Assignment, Espacenet|
1. Field of Invention
The present invention relates generally to managing communications on a computer network, and more particularly, to restricting communication between selected network devices.
2. Background of the Invention
Computer networks allow many network devices to communicate with each other and to share resources. In order to transmit a packet of data from one network device to another on a local area network (LAN), the sending device must have the local area address of the destination device, and in particular, must have a Layer 2 (L2) or media access control (MAC) address that uniquely specifies the individual hardware device that is to receive the packet. In an Ethernet LAN, each network device has a network interface card,which has a unique Ethernet address. In an FDDI LAN, each device likewise will have a unique MAC address.
Typically, all of the devices on a LAN are allowed to communicate with each other, and thus, there are provided various mechanisms by which devices learn the L2 addresses of other devices in order to transmit packets to them. In an Ethernet network, the Address Resolution Protocol (ARP) defined in RFC 826 is used to convert protocol addresses, such as IP addresses, to L2 addresses, such as Ethernet addresses. In this protocol, a first network device broadcasts a request that includes the IP address that it wants to transmit a packet to (the destination IP address), and its own IP and Ethernet addresses. Since the request is broadcast all devices on the network receive it. However, only the second network device that has the requested destination IP address responds by sending back its Ethernet address. The first network device can now transmit packets directly to the second network device.
This type of address discovery is acceptable on networks where it is desirable for all devices to communicate with each other. However, it may be desirable to provide a computer network in which devices are restricted from communicating with each other generally. For example, an Internet Server Provider (ISP) may wish to support computers from many different customers on the same network. In order to ensure the privacy and integrity of each customer's data and applications, it is desirable to prevent the customers' computers from communicating with each other, for example to prevent malicious tampering with data. This has been done conventionally by isolating each customer's computers and devices to its own subnet. However, this approach is expensive and complex to manage because isolating a subnet from others requires special-purpose hardware (such as a bridge), special-purpose software (such as that in a router) or both. In some instances, the necessary isolation may be impossible, for example, where the ISP provides virtual servers (multiple different servers for different customers) on a single host computer.
Thus, in those instances where it is desirable to have multiple customers sharing a subnet, it is further desirable to prevent their respective devices from communicating with each other.
The present invention makes it possible to restrict communications between network devices on a common subnet. In particular, any network device can be restricted to communicating only with a predefined set of authorized or validated network devices.
In one aspect of the present invention, network devices are restricted from providing their network addresses to other than previously authorized devices. For example, a network device may not respond to ARP requests that seek to know its L2 address, unless the requesting device itself has a validated network address, which indicates that it is authorized to request L2 addresses of other devices. Because a network device is prohibited from revealing its L2 address to unauthorized devices, these unauthorized devices will not be able to send packets to the network device. In another aspect of the present invention, network devices are prevented from discovering the L2 network addresses of other devices, unless authorized to do so. Because an unauthorized device cannot discover the network addresses of other devices, it cannot communicate with them.
In one embodiment, a subnet of a computer network includes a number of network devices, such as computers, printers, routers, bridges, and so forth. Each device has a unique L2 address (e.g., an Ethernet address), and an assigned IP address. Only certain devices on the network are authorized to determine, via an address resolution protocol such as ARP, the L2 addresses of other network devices. These authorized devices are preferably routers that are attached to the subnet; however, other network devices may also be authorized, for example, a computer operated by a system administrator. A list of the IP addresses of these authorized devices is stored in each of the network devices, preferably in a privileged area, such as in the operating system kernel. The authorized IP address list is preferably loaded by each network device upon start up. The authorized IP address list may be updated periodically by a system administrator to reflect newly authorized devices, or to remove previously authorized devices.
According to the first aspect of the invention, when a first network device seeks to communicate with a second network device, the first network device broadcasts an ARP request, including its own IP and L2 addresses, and the IP address of the second network device. The second network device receives this request packet. However, instead of responding as described in ARP, it compares the IP address of the first network device to the list of authorized IP addresses. If the IP address of the first network device is not on the list, then the second network device does not reply to the request packet, but instead remains “silent.”
This prevents the first network device from discovering the L2 address of the second network device, and thereby directing any packets to it. If the IP address of the first network device is on the list of authorized IP addresses, then the second network device replies in the normal fashion with its L2 address.
In accordance with the ARP, the second network device maintains a translation table that maps L2 addresses to IP addresses and protocol types. Conventionally, whenever a network device receives an ARP request, is updates this translation table to include the L2 address and IP address of the requesting device. However in a preferred embodiment, the second network device does not automatically update the translation table, but rather only if the first network device is authorized to request L2 addresses. This feature is further desirable to prevent IP spoofing attacks on the second network device.
As a further enhancement according to the second aspect of the invention, before a first network device sends an ARP request, it compares it own IP address with the list of authorized IP addresses. If its own IP address is not on the list, then it does not send request packet. This feature further prevents the network device from discovering the network addresses of other devices.
These features of the present invention may be embodied in various forms. In one implementation, each network device includes a memory storing a TCP/IP protocol stack. The protocol stack is responsible for moving packets from one layer of the network to another. The protocol stack includes an ARP component that implements the ARP (called the address resolution module in RFC 862). In one embodiment, this ARP component is modified to compare the IP address of a requesting network device to a list of authorized IP addresses before replying with its own L2 address. If the IP address is not authorized, then the ARP component does not respond. Preferably, the ARP component also does not update its translation table if the IP address is not authorized. The ARP component may be further modified to test the IP address of the network device itself before transmitting an ARP request on behalf of the network device in which it is included.
Yet another embodiment of the present invention is a computer subnet administered by an ISP. Various computers are coupled to the subnet, each of which may be dedicated to one customer or to multiple customers (e.g., where multiple customers have their own private servers including distinct L2 addresses). The ARP of each computer/server is modified as just described to restrict responses to ARP requests to only those requests coming from authorized network devices. The ARP component may be further modified to prevent ARP requests from being generated on any other but authorized devices.
These and other features and attributes of the present invention are now described in more detail with reference to the following figures.
FIG. 1 is a network diagram in accordance with the present invention.
FIG. 2 is a simplified illustration of a typical packet.
FIG. 3 is a flowgraph of the operation of one embodiment of the present invention.
FIG. 4 is a sequence diagram of the functional operation of two network devices in accordance with the present invention.
FIG. 5 is a flowchart of the packet generation function of an Address Resolution Protocol (ARP) component.
FIG. 6 is a flowchart of the packet reception function of an ARP component.
Referring now to FIG. 1, there is shown a simplified network diagram of a computer network that may be used in conjunction with the present invention. The network 100 includes various LAN subnets 104, coupled together over a communication medium 100, such as an Ethernet network, FDDI, or the like. Each subnet 104 includes a number of host computers 106, and one or more routers 102, which server to route packets between hosts on the network. In this description, “host”, and “network device” are used interchangeably, and include both physical and virtual devices. In particular, a host may be one of several virtual servers executing on a single physical computer; each virtual server presents to other devices on the network functionality substantially similar to that of a physical host computer or a physical network device. The hosts and routers are both examples of network devices generally; other types of network devices, e.g., printers, bridges, brouters, etc., are not illustrated. The subnets 104 may be coupled, as illustrated to a public communications network 108, such the Internet, through conventional hardware interfaces and communications protocols. The physical implementation of a network such as illustrated is well known to those of skill in the art.
FIG. 2, by way of further background, illustrates a portion of a data packet 200 as may be transmitted over the network 100. A packet 200 includes a layer 2 header 202, including the L2 addresses of the source host 106 and destination host computer (if known), and protocol (L3) header 204. The protocol header 204 includes the protocol addresses of the source and destination hosts, for example, their IP (Internet Protocol) addresses. A data portion 206 contains the data or payload the packet (and itself may contain additional information useful in protocol decoding or routing of the packet.
The host computers 106 are generally conventional having an addressable memory for storing applications and data, and executing such application. Again, a single physical computer may contain multiple virtual servers (each being a host), with the physical memory partitioned between the various virtual servers. FIG. 3 illustrates the memory 300 of a host computer 106 in accordance with the present invention; each host (physical or virtual) shares these characteristics. The memory 300 stores an operating system 302, such as a flavor of UNIXģ, Microsoft Corp.'s WINDOWģ, or the like, for execution by the host's processor. Preferably embedded in the operating system kernel is a protocol stack 305, that includes an address resolution module (ARM) 304 that is modified in accordance with the teachings of the present invention. The protocol stack 305 is preferably TCP/IP but may be implemented using other protocols (e.g., UDP). The ARM 304 is a software product that provides an implementation of the Address Resolution Protocol that is enhanced by the teachings of the present invention, as further described below. The ARM 304 maintains a translation table that maps protocol addresses (e.g. Internet Protocol) to L2 addresses, to allow the host to determine one type of address given another. As with conventional ARMs, ARM is capable of mapping many different protocols to hardware addresses, by storing in the translation table 306 the protocol type associated with each protocol address/hardware address pair. Thus, while the preferred embodiment, as described here, uses IP addresses as an example, the present invention is not limited to working with IP addresses only.
Memory 300 includes a network device driver 310 that communicates with a network interface card (not shown) to transmit and receive packets from the network. The network device driver 310 communicates with the ARM 304 to resolve IP addresses to L2 addresses.
Also stored in the memory 300 is a list 308 of authorized protocol address and L2 address pairs. These are the protocol addresses and L2 addresses of one or more network device that are authorized to discover the L2 addresses of other network devices on the subnet 104. In a preferred embodiment, the protocol addresses are IP addresses, and the L2 addresses are Ethernet addresses, but other types of addresses may be used, depending on the network architecture. The list 308 is maintained, for example, by a network administrator, who updates the list as newly authorized devices are coupled to the subnet 104, or as they are removed therefrom. The list 308 is preferably stored in the operating system kernel, so that only those with a root level password may modify it; alternatively, it may be stored in user accessible portions of the memory 300. Finally, the list 308 need not take any specific implementation, and may be a table, a linked list, a tree, a collection of objects, or the like.
The network devices selected for inclusion on the list 308 of authorized devices may depend on the particular devices that are on the subnet 104. In one embodiment, the list contains only the addresses of the routers 102. This allows the routers 102 to discover which hosts 106 are on the subnet 104 and route packets to them, but does not allow hosts to discover and communicate with each other. The set of authorized devices may include, in addition to routers, other devices that are hosted on behalf of a single customer. This may be other host computers host for the customer, or specialized computing resources such as special-purpose printers or storage devices. In addition, the list 308 may contain the addresses of selected hosts 104, for example hosts used by a network administrator.
The list of authorized addresses is preferably loaded by a host each time the host reboots. This ensures that the list is available for use as soon as it becomes necessary to either receive or respond to a packet. In one preferred embodiment, each host stores the IP address of a router 102 on its subnet. After booting, a host immediately does an ARP for this IP address. This returns to it the L2 address of the router 102. It stores this L2 address in its list 308 of authorized addresses in conjunction with the router's IP address. Storing both the protocol address and the L2 address allows the ARM to thwart attempts at. IP spoofing, that is, network devices that fake the IP addresses of authorized devices in order to obtain access to restricted hosts.
FIG. 4 illustrates a sequence diagram illustrating the functional operation of two host. computers in accordance with the present invention. In FIG. 4, the following notation is used. The two hosts are a source host “S” which is seeking to determine the L2 address of a target host “T”. Each host S and T has a protocol address, designated on the figure as PA(S) and PA(T). They also each have an L2 address, designated L2(S) and L2(T). Each host further executes its own ARM 304, here designated ARM(S) for host S, and ARM(T) for host T.
Host S's network device driver 310 receives 400 a request to transmit a packet to a target computer, e.g., host T, known only by the target's protocol address, PA(T) and the protocol type, for example Internet Protocol. The request may be created by a client application executing, on the host S, for example, or from some other source. The network device driver 310 provides ARM(S) with the protocol type and PA(T) in order for the ARM(S) to determine the correct L2 address corresponding to PA(T).
ARM(S) optionally determines 402 whether host S is authorized to request the L2 addresses of other devices, preferably by comparing PA(S), which it knows, with the list 308 of authorized protocol addresses. If host S is not authorized, and thus PA(S) is not an authorized protocol address included in this list, ARM(S) discards the request, and terminates 406, taking no further action. If PA(S) is included in the list 308, then ARM(S) generates a ARP request packet, including, PA(S), L2(S), and PA(T), and causes this packet to be broadcast 404 to the all network segments that are logically part of the subnet of host S. If the optional comparison 402 is not performed, then ARM(S) simply generates 404 the packet directly.
The request packet is received by all network devices, but discarded by all except host T, since host T recognizes its own PA(T). ARM(T) receives this packet, and determines 408 whether host S is authorized to request L2 addresses. This is done, in one embodiment by comparing PA(S) and L2(S) with the list 308 of authorized addresses: if PA(S) and L2(S) are included in the list 308, then host S is authorized. If not, the ARM(T) discards the packet and does not reply, terminating 410 further processing. This prevent host S from discovering host T's existence on the subnet 104 entirely, and thus prevents host S from communicating (e.g. sending packets) with host T.
If host S's PA(S) and L2(S) form an authorized address pair, then the ARM(T) creates a reply packet to be transmitted 412 to host S according to the provided PA(S) and L2(S). This packet includes host T's L2 and protocol addresses, L2(T) and PA(T). When host S receives the reply packet, ARM(S) updates its translation table 306 to include the pairing of host T's L2 and protocol addresses L2(T) and PA(T). At this point, host S can now transmit packets to host T.
Note that the determination 402 by ARM(S) of the authorization of host S to send ARP requests is entirely optional: it is sufficient to prevent unauthorized discovery of host using just the verification steps by the receiving ARM(T).
FIGS. 5 and 6 illustrate flowcharts of the operation of an ARM 304 modified in accordance with one embodiment the present invention to effect the behaviors illustrated in FIG. 4. FIG. 5 illustrates the packet generation function of an ARM 304 in accordance with the present invention. The ARM receives 500 a request for the resolution of a particular protocol address of a target network device PA(T), and protocol type. For example, if the host is attempting to resolve another host T's IP address, then request would be for PA(T) and the IP protocol type.
The request is naturally being generated by the host computer 106 on which the ARM 304 executes, and thus the ARM knows the protocol address of this source host, say PA(S). The ARM determines 502 whether the host S is authorized to request L2 address, and specifically, whether PA(S) is included in the list 308 of authorized addresses. If the host protocol address is not included, then the request is not further processed 504. In particular, the ARM 304 does not even check its translation table 308 to determine whether the protocol address of host T has been previously mapped to an L2 address.
If the PA(S) is included in the list 308 of authorized addresses, then the ARM checks 506 the translation table to determine whether the PA(T) has been previously mapped to an L2 address for host T. If so, it returns 508 this L2 address, as L2(T).
If PA(T) has not been previously mapped, then the ARM generates 5 10 an ARP Request packet, including <PA(S), L2(S), PA(T)>. It then causes the network device driver 310 to broadcast 512 this ARP request onto the subnet. This packet will be received by host T, and responded to, preferably according to the principles described herein, though in some cases host T need not have an ARP component that operates according to the packet reception functions next described. That is, host T need not validate host S as an authorized network device,
FIG. 6 illustrates the packet reception function of the ARM, as modified in accordance with the present invention. Generally, when a request packet is received by the network device driver 310 of a host device, it provides the packet to the ARM. The ARM receives 602 this packet, and determines 604 whether the PA(S) and the L2(S), the protocol and L2 addresses of the requesting host, form an authorized address pair in the list 308 of authorized addresses. If not, then the ARM discards 612 the packet, and does not further respond. Preferably, the ARM does not update its translation table 306 to include the mapping of the requesting host's protocol address PA(S) to its L2 address L2(S), thereby preventing the receiving host from communicating with the requesting host in the future, which is desired because it has been determined that the requesting host was not authorized.
If the protocol and L2 addresses of the requesting host S form an authorized address pair, when compared 604 to the list 308, then the ARM updates 606 its translation table 308 with L2 address and protocol address (if necessary) and generates 608 a reply packet, including its protocol address PA(T) and its L2 address L2(T), and addressed to the requesting host S at <PA(S), L2(S)>. The ARM causes 610 this packet to be transmitted back to the requesting host. When the host receives the packet, it will update its translation table 308 to include the protocol address PA(T) and L2 address L2(T) of the target host.
In one preferred embodiment, the implementation of this process and the modifications to the ARM specifically restrict network devices to communicating only with the routers 102 on their respective subnets 104. In this embodiment, the list 308 of authorized addresses is initialized to include just the protocol addresses of the router(s), and most preferably their IP addresses. These addresses are loaded when a host device boots up. The host then immediately requests an ARP on these protocol addresses to obtain the L2 address(es) of the router(s). Subsequently, each host 106 will then be able respond to an ARP request if and only if both the protocol and L2 addresses of the requesting network device match the IP address and L2 address of the router. This checking of both protocol address and L2 address prevent protocol spoofing, such as IP spoofing, where unauthorized network devices use the IP addresses of authorized devices in order to obtain information, such as L2 addresses, that is otherwise restricted to authorized device.
In summary then, the present invention provides separately but complementary features by which a host may neither discover another host's L2 address (verification of protocol address prior to ARP request), nor will it reveal its own L2 except to an authorized device (verification of protocol and L2 address prior to ARP reply).
The foregoing describes in details the features and benefits of the present in various embodiments. Those of skill in the art will appreciate that present invention is capable of various other implementations that operate in accordance with the foregoing principles and teachings. For example, the present invention is preferably used with the IP protocol, and Ethernet addresses. However, other protocols may be used. While the list of authorized addresses is a generalized approach, allowing robust general application of the present invention to authorize any type of network device, particular embodiments may utilize a single authorized address pair for a single authorized device, such as a router. This single address pair need not be stored in a list per se, but need only be stored so as to be accessible to each ARM. Storage of such an address pair in each ARM's address space, or in the operating system of each host is possible. Accordingly, this detailed description is not intended to limit the scope of the present invention, which is to be understood by reference the claims below.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US3377624||Jan 7, 1966||Apr 9, 1968||Ibm||Memory protection system|
|US4177510||Dec 2, 1974||Dec 4, 1979||Compagnie Internationale pour l'Informatique, CII Honeywell Bull||Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes|
|US5212793||Sep 4, 1991||May 18, 1993||International Business Machines Corp.||Generic initiators|
|US5226160||Jul 18, 1989||Jul 6, 1993||Visage||Method of and system for interactive video-audio-computer open architecture operation|
|US5249290||Feb 22, 1991||Sep 28, 1993||At&T Bell Laboratories||Method of and apparatus for operating a client/server computer network|
|US5263147||Mar 1, 1991||Nov 16, 1993||Hughes Training, Inc.||System for providing high security for personal computers and workstations|
|US5325530||Jan 29, 1993||Jun 28, 1994||International Business Machines Corporation||Controller for sequential programming tools executed in a parallel computing environment|
|US5437032||Aug 19, 1994||Jul 25, 1995||International Business Machines Corporation||Task scheduler for a miltiprocessor system|
|US5528753||Jun 30, 1994||Jun 18, 1996||International Business Machines Corporation||System and method for enabling stripped object software monitoring in a computer system|
|US5572680||Aug 20, 1993||Nov 5, 1996||Fujitsu Limited||Method and apparatus for processing and transferring data to processor and/or respective virtual processor corresponding to destination logical processor number|
|US5584023||Dec 27, 1993||Dec 10, 1996||Hsu; Mike S. C.||Computer system including a transparent and secure file transform mechanism|
|US5603020||Aug 24, 1994||Feb 11, 1997||Fujitsu Limited||Method for detecting file names by informing the task of the identification of the directory antecedent to the file|
|US5636371||Jun 7, 1995||Jun 3, 1997||Bull Hn Information Systems Inc.||Virtual network mechanism to access well known port application programs running on a single host system|
|US5640595||Jun 29, 1993||Jun 17, 1997||International Business Machines Corporation||Multimedia resource reservation system with graphical interface for manual input of resource reservation value|
|US5692047||Dec 8, 1995||Nov 25, 1997||Sun Microsystems, Inc.||System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources|
|US5706097||Sep 13, 1996||Jan 6, 1998||Eastman Kodak Company||Index print with a digital recording medium containing still images, motion sequences, and sound sequences|
|US5706453||Feb 6, 1995||Jan 6, 1998||Cheng; Yang-Leh||Intelligent real-time graphic-object to database linking-actuator for enabling intuitive on-screen changes and control of system configuration|
|US5708774||Jul 23, 1996||Jan 13, 1998||International Business Machines Corporation||Automated testing of software application interfaces, object methods and commands|
|US5719854||Apr 5, 1996||Feb 17, 1998||Lucent Technologies Inc.||Efficiently providing multiple grades of service with protection against overloads in shared resources|
|US5727203||Mar 31, 1995||Mar 10, 1998||Sun Microsystems, Inc.||Methods and apparatus for managing a database in a distributed object operating environment using persistent and transient cache|
|US5748614||Jun 6, 1996||May 5, 1998||Siemens Aktiengesellschaft||Method for scheduling message cells leaving an ATM node|
|US5752003||Jul 14, 1995||May 12, 1998||3 Com Corporation||Architecture for managing traffic in a virtual LAN environment|
|US5761477||Dec 4, 1995||Jun 2, 1998||Microsoft Corporation||Methods for safe and efficient implementations of virtual machines|
|US5764889 *||Sep 26, 1996||Jun 9, 1998||International Business Machines Corporation||Method and apparatus for creating a security environment for a user task in a client/server system|
|US5781550||Feb 2, 1996||Jul 14, 1998||Digital Equipment Corporation||Transparent and secure network gateway|
|US5799173||May 21, 1997||Aug 25, 1998||International Business Machines Corporation||Dynamic workload balancing|
|US5809527||Dec 23, 1993||Sep 15, 1998||Unisys Corporation||Outboard file cache system|
|US5828893||Aug 21, 1995||Oct 27, 1998||Motorola, Inc.||System and method of communicating between trusted and untrusted computer systems|
|US5838916||Mar 14, 1997||Nov 17, 1998||Domenikos; Steven D.||Systems and methods for executing application programs from a memory device linked to a server|
|US5842002||May 30, 1997||Nov 24, 1998||Quantum Leap Innovations, Inc.||Computer virus trap|
|US5845129||Mar 22, 1996||Dec 1, 1998||Philips Electronics North America Corporation||Protection domains in a single address space|
|US5850399||Mar 27, 1998||Dec 15, 1998||Ascend Communications, Inc.||Hierarchical packet scheduling method and apparatus|
|US5860004||Jul 3, 1996||Jan 12, 1999||Sun Microsystems, Inc.||Code generator for applications in distributed object systems|
|US5864683||Oct 12, 1994||Jan 26, 1999||Secure Computing Corporartion||System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights|
|US5889996||Dec 16, 1996||Mar 30, 1999||Novell Inc.||Accelerator for interpretive environments|
|US5892968||Oct 15, 1996||Apr 6, 1999||Hitachi, Ltd.||Multimedia data transferring method|
|US5905730||Mar 27, 1998||May 18, 1999||Ascend Communications, Inc.||High speed packet scheduling method and apparatus|
|US5905859 *||Jan 9, 1997||May 18, 1999||International Business Machines Corporation||Managed network device security method and apparatus|
|US5913024||Feb 9, 1996||Jun 15, 1999||Secure Computing Corporation||Secure server utilizing separate protocol stacks|
|US5915085||Feb 28, 1997||Jun 22, 1999||International Business Machines Corporation||Multiple resource or security contexts in a multithreaded application|
|US5915095||Aug 8, 1995||Jun 22, 1999||Ncr Corporation||Method and apparatus for balancing processing requests among a plurality of servers based on measurable characteristics off network node and common application|
|US5918018||Feb 9, 1996||Jun 29, 1999||Secure Computing Corporation||System and method for achieving network separation|
|US5920699 *||Nov 7, 1996||Jul 6, 1999||Hewlett-Packard Company||Broadcast isolation and level 3 network switch|
|US5933603||Jun 10, 1996||Aug 3, 1999||Emc Corporation||Video file server maintaining sliding windows of a video data set in random access memories of stream server computers for immediate video-on-demand service beginning at any specified location|
|US5937159||Mar 28, 1997||Aug 10, 1999||Data General Corporation||Secure computer system|
|US5956481||Feb 6, 1997||Sep 21, 1999||Microsoft Corporation||Method and apparatus for protecting data files on a computer from virus infection|
|US5978373 *||Jul 11, 1997||Nov 2, 1999||Ag Communication Systems Corporation||Wide area network system providing secure transmission|
|US5987524 *||Sep 30, 1997||Nov 16, 1999||Fujitsu Limited||Local area network system and router unit|
|US5991812||Mar 6, 1997||Nov 23, 1999||Controlnet, Inc.||Methods and apparatus for fair queuing over a network|
|US5999963||Nov 7, 1997||Dec 7, 1999||Lucent Technologies, Inc.||Move-to-rear list scheduling|
|US6016318||Jul 14, 1997||Jan 18, 2000||Nec Corporation||Virtual private network system over public mobile data network and virtual LAN|
|US6018527||Aug 13, 1996||Jan 25, 2000||Nortel Networks Corporation||Queue service interval based cell scheduler with hierarchical queuing configurations|
|US6023721||May 14, 1997||Feb 8, 2000||Citrix Systems, Inc.||Method and system for allowing a single-user application executing in a multi-user environment to create objects having both user-global and system global visibility|
|US6038608||Nov 25, 1997||Mar 14, 2000||Nec Corporation||Virtual LAN system|
|US6038609||Apr 2, 1998||Mar 14, 2000||Telefonaktiebolaget Lm Ericsson||Method, communication network and service access interface for communications in an open system interconnection environment|
|US6047325||Aug 24, 1998||Apr 4, 2000||Jain; Lalit||Network device for supporting construction of virtual local area networks on arbitrary local and wide area computer networks|
|US6055617||Aug 29, 1997||Apr 25, 2000||Sequent Computer Systems, Inc.||Virtual address window for accessing physical memory in a computer system|
|US6061349||May 2, 1997||May 9, 2000||Cisco Technology, Inc.||System and method for implementing multiple IP addresses on multiple ports|
|US6065118||Sep 24, 1996||May 16, 2000||Citrix Systems, Inc.||Mobile code isolation cage|
|US6075791||Oct 28, 1997||Jun 13, 2000||Lucent Technologies Inc.||System for guaranteeing data transfer rates and delays in packet networks|
|US6075938||Jun 10, 1998||Jun 13, 2000||The Board Of Trustees Of The Leland Stanford Junior University||Virtual machine monitors for scalable multiprocessors|
|US6078957||Nov 20, 1998||Jun 20, 2000||Network Alchemy, Inc.||Method and apparatus for a TCP/IP load balancing and failover process in an internet protocol (IP) network clustering system|
|US6086623||Jun 30, 1997||Jul 11, 2000||Sun Microsystems, Inc.||Method and implementation for intercepting and processing system calls in programmed digital computer to emulate retrograde operating system|
|US6092178||Sep 3, 1998||Jul 18, 2000||Sun Microsystems, Inc.||System for responding to a resource request|
|US6094674||Jun 29, 1998||Jul 25, 2000||Hitachi, Ltd.||Information processing system and information processing method and quality of service supplying method for use with the system|
|US6101543||Oct 25, 1996||Aug 8, 2000||Digital Equipment Corporation||Pseudo network adapter for frame capture, encapsulation and encryption|
|US6108701||Jul 20, 1998||Aug 22, 2000||Lucent Technologies, Inc.||Soft switch extension for internet protocol applications|
|US6108759||Sep 17, 1997||Aug 22, 2000||Powerquest Corporation||Manipulation of partitions holding advanced file systems|
|US6122673||Jul 22, 1998||Sep 19, 2000||Fore Systems, Inc.||Port scheduler and method for scheduling service providing guarantees, hierarchical rate limiting with/without overbooking capability|
|US6154776||Mar 20, 1998||Nov 28, 2000||Sun Microsystems, Inc.||Quality of service allocation on a network|
|US6154778||May 19, 1998||Nov 28, 2000||Hewlett-Packard Company||Utility-based multi-category quality-of-service negotiation in distributed systems|
|US6167520||Jan 29, 1997||Dec 26, 2000||Finjan Software, Inc.||System and method for protecting a client during runtime from hostile downloadables|
|US6172981 *||Oct 30, 1997||Jan 9, 2001||International Business Machines Corporation||Method and system for distributing network routing functions to local area network stations|
|US6192389||Mar 28, 1997||Feb 20, 2001||International Business Machines Corporation||Method and apparatus for transferring file descriptors in a multiprocess, multithreaded client/server system|
|US6192512||Sep 24, 1998||Feb 20, 2001||International Business Machines Corporation||Interpreter with virtualized interface|
|US6230203||Mar 14, 1997||May 8, 2001||Scientific-Atlanta, Inc.||System and method for providing statistics for flexible billing in a cable environment|
|US6240463||Nov 24, 1998||May 29, 2001||Lucent Technologies Inc.||Router placement methods and apparatus for designing IP networks with performance guarantees|
|US6247057||Oct 22, 1998||Jun 12, 2001||Microsoft Corporation||Network server supporting multiple instance of services to operate concurrently by having endpoint mapping subsystem for mapping virtual network names to virtual endpoint IDs|
|US6269404||Jan 5, 1999||Jul 31, 2001||3Com Corporation||Virtual network architecture for connectionless LAN backbone|
|US6279039||Apr 3, 1996||Aug 21, 2001||Ncr Corporation||Resource management method and apparatus for maximizing multimedia performance of open systems|
|US6279040||Apr 27, 1999||Aug 21, 2001||Industrial Technology Research Institute||Scalable architecture for media-on demand servers|
|US6282581 *||Mar 27, 1997||Aug 28, 2001||Hewlett-Packard Company||Mechanism for resource allocation and for dispatching incoming calls in a distributed object environment|
|US6282703||Oct 29, 1998||Aug 28, 2001||International Business Machines Corporation||Statically linking an application process with a wrapper library|
|US6286047||Sep 10, 1998||Sep 4, 2001||Hewlett-Packard Company||Method and system for automatic discovery of network services|
|US6298479||May 29, 1998||Oct 2, 2001||Sun Microsystems, Inc.||Method and system for compiling and linking source files|
|US6314558||Feb 16, 1999||Nov 6, 2001||Compuware Corporation||Byte code instrumentation|
|US6327622||Sep 3, 1998||Dec 4, 2001||Sun Microsystems, Inc.||Load balancing in a network environment|
|US6336138||Aug 25, 1998||Jan 1, 2002||Hewlett-Packard Company||Template-driven approach for generating models on network services|
|US6351775||May 30, 1997||Feb 26, 2002||International Business Machines Corporation||Loading balancing across servers in a computer network|
|US6353616||Dec 28, 1998||Mar 5, 2002||Lucent Technologies Inc.||Adaptive processor schedulor and method for reservation protocol message processing|
|US6363053||Feb 8, 1999||Mar 26, 2002||3Com Corporation||Method and apparatus for measurement-based conformance testing of service level agreements in networks|
|US6381228||Jan 15, 1999||Apr 30, 2002||Trw Inc.||Onboard control of demand assigned multiple access protocol for satellite ATM networks|
|US6385638||Sep 4, 1997||May 7, 2002||Equator Technologies, Inc.||Processor resource distributor and method|
|US6389448||May 5, 2000||May 14, 2002||Warp Solutions, Inc.||System and method for load balancing|
|US6393484 *||Apr 12, 1999||May 21, 2002||International Business Machines Corp.||System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks|
|US6425003||Jan 22, 1999||Jul 23, 2002||Cisco Technology, Inc.||Method and apparatus for DNS resolution|
|US6430622||Sep 22, 1999||Aug 6, 2002||International Business Machines Corporation||Methods, systems and computer program products for automated movement of IP addresses within a cluster|
|US6434631||Oct 15, 1999||Aug 13, 2002||Lucent Technologies Inc.||Method and system for providing computer storage access with quality of service guarantees|
|US6434742||May 10, 1999||Aug 13, 2002||Lucent Technologies Inc.||Symbol for automatically renaming symbols in files during the compiling of the files|
|US6438134||Aug 24, 1998||Aug 20, 2002||Alcatel Canada Inc.||Two-component bandwidth scheduler having application in multi-class digital communications systems|
|US6457008||Aug 28, 1998||Sep 24, 2002||Oracle Corporation||Pluggable resource scheduling policies|
|US6463459||Jan 22, 1999||Oct 8, 2002||Wall Data Incorporated||System and method for executing commands associated with specific virtual desktop|
|US6470398||Apr 7, 1997||Oct 22, 2002||Compaq Computer Corporation||Method and apparatus for supporting a select () system call and interprocess communication in a fault-tolerant, scalable distributed computer environment|
|US6487578||Sep 29, 1997||Nov 26, 2002||Intel Corporation||Dynamic feedback costing to enable adaptive control of resource utilization|
|US6490670||Apr 24, 1998||Dec 3, 2002||International Business Machines Corporation||Method and apparatus for efficiently allocating objects in object oriented systems|
|US6499137||Nov 20, 1998||Dec 24, 2002||Microsoft Corporation||Reversible load-time dynamic linking|
|US6529950||Jun 17, 1999||Mar 4, 2003||International Business Machines Corporation||Policy-based multivariate application-level QoS negotiation for multimedia services|
|US6542167||Jan 28, 2000||Apr 1, 2003||Wind River Systems, Inc.||System and method for flexible software linking|
|US6553413||Jun 28, 2000||Apr 22, 2003||Massachusetts Institute Of Technology||Content delivery network using edge-of-network servers for providing content delivery to a set of participating content providers|
|US6578068 *||Aug 31, 1999||Jun 10, 2003||Accenture Llp||Load balancer in environment services patterns|
|US6580721 *||Aug 11, 1998||Jun 17, 2003||Nortel Networks Limited||Routing and rate control in a universal transfer mode network|
|1||Aho, A. V. and Ullman J. D., Principles of Complier Design, Reading, MA, 1977, pp. vii-x, 359-362, 519-522.|
|2||Bach, M. J., The Design of the Unix(R) Operating System, New Delhi, Prentice-Hall of India, 1989, pp. v-x, 19-37.|
|3||Bach, M. J., The Design of the Unixģ Operating System, New Delhi, Prentice-Hall of India, 1989, pp. v-x, 19-37.|
|4||Boehm, B., "Managing Software Productivity and Reuse," IEEE Computer, vol. 32, No. 9, Sep. 1999, 3 pages.|
|5||Campbell, A. T. and Keshav, S., "Quality of Service in Distributed Systems," Computer Communications 21, 1998, pp. 291-293.|
|6||Corbato, F. J. et al. "An Experimental Timesharing System," Proceedings of the American Federation Of Information Processing Societies Spring Joint Computer Conference, San Francisco, CA, May 1-3, 1962, pp. 335-344.|
|7||Deutsch, P. and Grant, C.A., "A Flexible Measurement Tool for Software Systems," Information Processing 71 (Proc. of the IFIP Congress), 1971, pp. 320-326.|
|8||Duffield, N.G., et al., "A Flexible Model for Resource Management in Virtual Private Networks," Computer Communication Review Conference, Computer Communication, ACM SIGCOMM '99 Conference Cambridge, MA, Aug. 30, 1999-Sep. 3, 1999. pp. 95-108.|
|9||Edjlali, G., et al., "History-based Access Control for Mobile Code," Fifth ACM Conference on Computer and Communication Security, Nov. 3-5, 1998, 19 pages.|
|10||Egevang, K. and Francis P., RFC 1631, May 1994 [online], [retrived on Feb. 2, 2000]. retrived from the Internet: <URL:http://www.faqs.org/rfcs/rfc1631.html>.|
|11||Erlingsson, U. and Schneider, F. B., "SASI Enforcement of Security Policies: A Retrospective," Proc. New Security Paradigms Workshop, Apr. 2, 1999, pp. 1-17.|
|12||Evans, D. and Twyman, A., "Flexible Policy-Directed Code Safety," Proc. of 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 9-12, 1999, pp. 1-14.|
|13||Fraser, T. et al., "Hardening COTS Software with Generic Software Wrappers," Proc. of 1999 IEEE Symposium on Security and Privacy, 1999, 15 pages.|
|14||Goldberg, I. et al., "A Secure Environment For Untrusted Helper Applications (Confining the Wily Hacker)," Proc. of the Sixth USENIX UNIX Security Symposium, San Jose, CA, Jul. 1996, 14 pages.|
|15||Goldberg, R. P., "Survey of Virtual Machine Research," IEEE Computer, Jun. 1974, pp. 34-45.|
|16||Goyal, P. et al., "Start-time Fair Queuing: A Scheduling Algorithm for Integrated Services Packet Switching Networks," Proceedings of ACM SIGCOMM '96 , San Francisco, CA, Aug. 1996, 14 pages.|
|17||Goyal, P., "Packet Scheduling Algorithms for Integrated Services Networks," PhD Dissertation, University of Texas, Austin, TX, Aug. 1997.|
|18||Goyal, P., et al., "A Hierarchical CPU Scheduler for Multimedia Operating Systems," Proceedings of the Second Symposium on Operating Systems Design and Implementations (OSDI'96), Seattle, WA, Oct. 1996, 15 pages.|
|19||*||Goyal, Pawan et al., Generalized Guaranteed Rate Scheduling Algorithms: A Framework, IEEE/ACM Transactions, vol. 5, Issue: Aug. 4, 1997; pp. 561-571.*|
|20||Huang, X. W. et al., "The ENTRAPID Protocol Development Environment," Proceedings of IEEE Infocom'99, Mar. 1999, nine pages.|
|21||JŠnosi, T., "Notes on ‘A Hierarchical CPU Scheduler for Multimedia Operating Systems’ by Pawan Goyal, Xingang Guo and Harrick Vin," [online], [retrieved on May 8, 2000]. Retrieved from the internet: <URL:http://cs.cornell.edu/Info/Courses/Spring-97/CS614/goy.html>.|
|22||JŠnosi, T., "Notes on 'A Hierarchical CPU Scheduler for Multimedia Operating Systems' by Pawan Goyal, Xingang Guo and Harrick Vin," [online], [retrieved on May 8, 2000]. Retrieved from the internet: <URL:http://cs.cornell.edu/Info/Courses/Spring-97/CS614/goy.html>.|
|23||Jonsson, J., "Exploring the Importance of Preprocessing Operations in Real-Time Multiprocessor Scheduling," Proc. of the IEEE Real-Time Systems, Symposium-Work-in-Progress session, San Francisco, CA, Dec. 4, 1997, pp. 31-34.|
|24||Jonsson, J., "Exploring the Importance of Preprocessing Operations in Real-Time Multiprocessor Scheduling," Proc. of the IEEE Real-Time Systems, Symposium—Work-in-Progress session, San Francisco, CA, Dec. 4, 1997, pp. 31-34.|
|25||Keshav, S., An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network, Reading, MA, Addison-Wesley, 1997, pp. vii-xi, 85-115, 209-355, 395-444.|
|26||Laurie, B. and Laurie, P., Apache The Definitive Guide, Sebastopol, CA, O'Reilly & Associates, Inc., Feb. 1999, pp. v-viii, 43-74.|
|27||Mallory, T and Kullberg, A., RFC 1141, Jan. 1990 [online], [retrived on Feb. 2, 2000]. retrived from the Internet: <URL:http://www.faqs.org/rfcs/rfc1141.html>.|
|28||McDougall, R., et al., Resource Management, Upper Saddle River, NJ, Prentice Hall, 1999, pp. iii-xix, 135-191.|
|29||Pandey, R. and Hashii, B., "Providing Fine-Grained Access Control For Mobile Programs Through Binary Editing," Technical Report TR98 08, University of California, Davis, CA, 1998, pp. 1-22.|
|30||Pending United States patent application entitled "Disambiguating File Descriptors," serial number 09/500,212, filing date Feb. 8, 2000.|
|31||Pending United States patent application entitled "Dynamic Scheduling of Task Streams in a Multiple-Resource System to Ensure Task Stream Quality of Service," serial number 09/498,450, filing date Feb. 4, 2000.|
|32||Pending United States patent application entitled "Providing Quality of Service Guarantees to Virtual Hosts," serial number 09/452,286, filing date Nov. 30, 1999.|
|33||Pending United States patent application entitled "Selective Interception of System Calls," serial number 09/499,098, filing date Feb. 4, 2000.|
|34||Plummer, D. C., An Ethernet Address Resolution Protocol-or -Converting Network Protocol Addressed to 48.bit Ethernet Address for Transmission on Ethernet Hardware, Nov. 1982, [online], [retrived on Jan. 17, 2000]. Retrived from the Internet: <URL: http://www.msg.net/kadow/answers/extras/rfc/rfc826.txt>.|
|35||Plummer, D. C., An Ethernet Address Resolution Protocol—or —Converting Network Protocol Addressed to 48.bit Ethernet Address for Transmission on Ethernet Hardware, Nov. 1982, [online], [retrived on Jan. 17, 2000]. Retrived from the Internet: <URL: http://www.msg.net/kadow/answers/extras/rfc/rfc826.txt>.|
|36||Rijsinghani, A., RFC 1624, May 1994, [online], [retrived on Feb. 2, 2000]. retrived from the internet: <URL:http://www.faqs.org/rfcs/rfc1624.html>.|
|37||Ritchie, D. M., "The Evolution of the Unix Time-Sharing System," AT&T Bell Laboratories Technical Journal 63, No. 6, Part 2, Oct. 1984, (originally presented 1979), 11 pages.|
|38||Rubini, A., LINUX Device Drivers, Sebastopol, CA, O'Reilly & Associates, Inc., 1998, pp. v-x, 13-40.|
|39||Rusling, D. A., Files, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/~saw.linux/tlk-html/node49.html>.|
|40||Rusling, D. A., Files, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw.linux/tlk-html/node49.html>.|
|41||Rusling, D. A., Identifiers, [online], [Retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/~saw.linux/tlk-html/node46.html>.|
|42||Rusling, D. A., Identifiers, [online], [Retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw.linux/tlk-html/node46.html>.|
|43||Rusling, D. A., Linux Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL:http://www.cebaf.gov/~saw.linux/tlk-html/node45.html>.|
|44||Rusling, D. A., Linux Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL:http://www.cebaf.gov/˜saw.linux/tlk-html/node45.html>.|
|45||Rusling, D. A., Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/~saw.linux/tlk-html/node44.html>.|
|46||Rusling, D. A., Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw.linux/tlk-html/node44.html>.|
|47||Rusling, D. A., Scheduling in Multiprocessor Systems, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL:http://www.cebaf.gov/~saw.linux/tlk-html/node48.html>.|
|48||Rusling, D. A., Scheduling in Multiprocessor Systems, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL:http://www.cebaf.gov/˜saw.linux/tlk-html/node48.html>.|
|49||Rusling, D. A., Scheduling, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/~saw.linux/tlk-html/node47.html>.|
|50||Rusling, D. A., Scheduling, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <URL: http://www.cebaf.gov/˜saw.linux/tlk-html/node47.html>.|
|51||Saltzer, J., H. anbd Schroeder, M. D., The Protection of Information in Computer Systems, [online], 1973, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: <URL: http://www.cs.virginia.edu~evans/cs551/saltzer/>.|
|52||Saltzer, J., H. anbd Schroeder, M. D., The Protection of Information in Computer Systems, [online], 1973, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: <URL: http://www.cs.virginia.edu˜evans/cs551/saltzer/>.|
|53||Stevens, R. W., UNIX Network Programming Volume 1 Networking APIs: Sockets and XTI, Upper Saddle River, NJ, Prentice Hall, 1998, pp. v-xiv, 29-53, 85-110, 727-760.|
|54||Symbol Table, [online]copyright 1997, 1998, [Retrieved on Apr. 4, 2003] Retrieved from the internet <URL: http://126.96.36.199/search∞q=cache:eASXk8qC-AC:www.caldera.com/developers/gabi/1998-04-29/ch4.s.. ., pp. 1-5.|
|55||Tanenbaum, A. S. and Woodhull, A. S., Operating Systems: Design and Implementation, Upper Saddle River, NJ, Prentice Hall, 1997, pp. vii-xiv, 1-46, 401-454.|
|56||Wahbe, R., et al., "Efficient Software-Based Fault Isolation," Proc. of the Symposium on Operating System Principles, 1993, 14 pages.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US6915351 *||Dec 18, 2000||Jul 5, 2005||Sun Microsystems, Inc.||Community separation control in a closed multi-community node|
|US7007299 *||Aug 30, 2001||Feb 28, 2006||Citibank, N.A.||Method and system for internet hosting and security|
|US7043545||Dec 8, 2004||May 9, 2006||Microsoft Corporation||System and method for restricting data transfers and managing software components of distributed computers|
|US7080143||May 11, 2004||Jul 18, 2006||Microsoft Corporation||System and method providing automatic policy enforcement in a multi-computer service application|
|US7093288||Oct 24, 2000||Aug 15, 2006||Microsoft Corporation||Using packet filters and network virtualization to restrict network communications|
|US7096258||May 12, 2004||Aug 22, 2006||Microsoft Corporation||System and method providing automatic policy enforcement in a multi-computer service application|
|US7134012 *||Aug 15, 2001||Nov 7, 2006||International Business Machines Corporation||Methods, systems and computer program products for detecting a spoofed source address in IP datagrams|
|US7155380||Dec 9, 2004||Dec 26, 2006||Microsoft Corporation||System and method for designing a logical model of a distributed computer system and deploying physical resources according to the logical model|
|US7200655 *||Nov 12, 2004||Apr 3, 2007||Microsoft Corporation||System and method for distributed management of shared computers|
|US7200860 *||Mar 5, 2003||Apr 3, 2007||Dell Products L.P.||Method and system for secure network service|
|US7240136 *||Dec 16, 2004||Jul 3, 2007||International Business Machines Corporation||System and method for request priority transfer across nodes in a multi-tier data processing system network|
|US7243374||Aug 8, 2001||Jul 10, 2007||Microsoft Corporation||Rapid application security threat analysis|
|US7302700 *||Sep 28, 2001||Nov 27, 2007||Juniper Networks, Inc.||Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device|
|US7343421 *||Feb 14, 2000||Mar 11, 2008||Digital Asset Enterprises Llc||Restricting communication of selected processes to a set of specific network addresses|
|US7370103||Nov 12, 2004||May 6, 2008||Hunt Galen C||System and method for distributed management of shared computers|
|US7383327||Oct 11, 2007||Jun 3, 2008||Swsoft Holdings, Ltd.||Management of virtual and physical servers using graphic control panels|
|US7383351 *||Nov 27, 2001||Jun 3, 2008||Cisco Technology, Inc.||Method and apparatus for efficient SPVC destination endpoint address change|
|US7395320||Jun 1, 2005||Jul 1, 2008||Microsoft Corporation||Providing automatic policy enforcement in a multi-computer service application|
|US7406517||Nov 1, 2004||Jul 29, 2008||Microsoft Corporation||System and method for distributed management of shared computers|
|US7460558||Dec 16, 2004||Dec 2, 2008||International Business Machines Corporation||System and method for connection capacity reassignment in a multi-tier data processing system network|
|US7461148 *||Nov 10, 2003||Dec 2, 2008||Swsoft Holdings, Ltd.||Virtual private server with isolation of system components|
|US7509369||Nov 18, 2002||Mar 24, 2009||Swsoft Holdings, Ltd.||Balancing shared servers in virtual environments|
|US7512706||Dec 16, 2004||Mar 31, 2009||International Business Machines Corporation||Method, computer program product, and data processing system for data queuing prioritization in a multi-tiered network|
|US7533255 *||Jul 11, 2003||May 12, 2009||Cisco Technology, Inc.||Method and apparatus for restricting address resolution protocol table updates|
|US7546631 *||Apr 30, 2004||Jun 9, 2009||Sun Microsystems, Inc.||Embedded management system for a physical device having virtual elements|
|US7613123 *||Nov 3, 2009||Lg Electronics Inc.||Apparatus and method for establishing network|
|US7669235||Feb 23, 2010||Microsoft Corporation||Secure domain join for computing devices|
|US7684964||Sep 8, 2005||Mar 23, 2010||Microsoft Corporation||Model and system state synchronization|
|US7689676||Mar 30, 2010||Microsoft Corporation||Model-based policy application|
|US7698400||Apr 13, 2010||Swsoft Holdings, Ltd.||Dedication of administrative servers to management of server functions in a multi-server environment|
|US7711121||Nov 2, 2004||May 4, 2010||Microsoft Corporation||System and method for distributed management of shared computers|
|US7739380||Nov 12, 2004||Jun 15, 2010||Microsoft Corporation||System and method for distributed management of shared computers|
|US7739401||Feb 4, 2008||Jun 15, 2010||Pawan Goyal||Restricting communication of selected processes to a set of specific network addresses|
|US7756140 *||Nov 21, 2006||Jul 13, 2010||Fujitsu Limited||Relay device, path control method, and path control program|
|US7778422||Feb 27, 2004||Aug 17, 2010||Microsoft Corporation||Security associations for devices|
|US7779459||Oct 9, 2007||Aug 17, 2010||Juniper Networks, Inc.||Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device|
|US7792931||Sep 7, 2010||Microsoft Corporation||Model-based system provisioning|
|US7797147||Sep 14, 2010||Microsoft Corporation||Model-based system monitoring|
|US7802144||Sep 21, 2010||Microsoft Corporation||Model-based system monitoring|
|US7886041||Mar 1, 2004||Feb 8, 2011||Microsoft Corporation||Design time validation of systems|
|US7890543||Oct 24, 2003||Feb 15, 2011||Microsoft Corporation||Architecture for distributed computing system and automated design, deployment, and management of distributed applications|
|US7890951||Feb 15, 2011||Microsoft Corporation||Model-based provisioning of test environments|
|US7941309||Nov 2, 2005||May 10, 2011||Microsoft Corporation||Modeling IT operations/policies|
|US7941510||May 10, 2011||Parallels Holdings, Ltd.||Management of virtual and physical servers using central console|
|US8051237 *||Mar 5, 2007||Nov 1, 2011||Stmicroelectronics Limited||Multiple purpose integrated circuit|
|US8072978 *||Oct 27, 2005||Dec 6, 2011||Alcatel Lucent||Method for facilitating application server functionality and access node comprising same|
|US8122106||Oct 24, 2003||Feb 21, 2012||Microsoft Corporation||Integrating design, deployment, and management phases for systems|
|US8291114||Oct 16, 2012||Juniper Networks, Inc.||Routing a packet by a device|
|US8489728||Apr 15, 2005||Jul 16, 2013||Microsoft Corporation||Model-based system monitoring|
|US8489764 *||May 3, 2010||Jul 16, 2013||Digital Asset Enterprises, L.L.C.||Restricting communication of selected processes to a set of specific network addresses|
|US8549513||Jun 29, 2005||Oct 1, 2013||Microsoft Corporation||Model-based virtual system provisioning|
|US8689316||Sep 14, 2012||Apr 1, 2014||Juniper Networks, Inc.||Routing a packet by a device|
|US8694637||Nov 17, 2008||Apr 8, 2014||Parallels IP Holdings GmbH||Virtual private server with CPU time scheduler and isolation of system components|
|US9317270||Sep 30, 2013||Apr 19, 2016||Microsoft Technology Licensing, Llc||Model-based virtual system provisioning|
|US20020073337 *||Aug 30, 2001||Jun 13, 2002||Anthony Ioele||Method and system for internet hosting and security|
|US20020078199 *||Dec 18, 2000||Jun 20, 2002||Tahan Thomas E.||Community separation control in a closed multi-community node|
|US20030043853 *||Aug 15, 2001||Mar 6, 2003||Ronald P. Doyle||Methods, systems and computer program products for detecting a spoofed source address in IP datagrams|
|US20030065944 *||Sep 28, 2001||Apr 3, 2003||Mao Yu Ming||Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device|
|US20040177273 *||Mar 5, 2003||Sep 9, 2004||Junaid Ghaffar||Method and system for secure network service|
|US20040187030 *||May 30, 2002||Sep 23, 2004||Jonathan Edney||Security in area networks|
|US20050010687 *||Jun 26, 2003||Jan 13, 2005||Silicon Graphics, Inc.||Multiprocessor network multicasting and gathering|
|US20050021696 *||May 11, 2004||Jan 27, 2005||Hunt Galen C.||System and method providing automatic policy enforcement in a multi-computer service application|
|US20050021697 *||May 12, 2004||Jan 27, 2005||Hunt Galen C.||System and method providing automatic policy enforcement in a multi-computer service application|
|US20050097058 *||Nov 12, 2004||May 5, 2005||Microsoft Corporation||System and method for distributed management of shared computers|
|US20050097147 *||Nov 1, 2004||May 5, 2005||Microsoft Corporation||System and method for distributed management of shared computers|
|US20050102388 *||Dec 8, 2004||May 12, 2005||Microsoft Corporation||System and method for restricting data transfers and managing software components of distributed computers|
|US20050102538 *||Dec 9, 2004||May 12, 2005||Microsoft Corporation||System and method for designing a logical model of a distributed computer system and deploying physical resources according to the logical model|
|US20050108381 *||Nov 12, 2004||May 19, 2005||Microsoft Corporation||System and method for distributed management of shared computers|
|US20050192971 *||Apr 22, 2005||Sep 1, 2005||Microsoft Corporation||System and method for restricting data transfers and managing software components of distributed computers|
|US20060069758 *||Jun 1, 2005||Mar 30, 2006||Microsoft Corporation||Providing automatic policy enforcement in a multi-computer service application|
|US20060133418 *||Dec 16, 2004||Jun 22, 2006||International Business Machines Corporation||System and method for connection capacity reassignment in a multi-tier data processing system network|
|US20060136574 *||Dec 16, 2004||Jun 22, 2006||International Business Machines Corporation||System and method for request priority transfer across nodes in a multi-tier data processing system network|
|US20060168217 *||Dec 16, 2004||Jul 27, 2006||International Business Machines Corporation||Method, computer program product, and data processing system for data queuing prioritization in a multi-tiered network|
|US20060203827 *||Oct 27, 2005||Sep 14, 2006||Luc Absillis||Method for facilitating application server functionality and access node comprising same|
|US20060259609 *||Jul 17, 2006||Nov 16, 2006||Microsoft Corporation||System and Method for Distributed Management of Shared Computers|
|US20060268862 *||Oct 19, 2005||Nov 30, 2006||Lg Electronics Inc.||Apparatus and method for establishing network|
|US20070064689 *||Sep 16, 2004||Mar 22, 2007||Shin Yong M||Method of controlling communication between devices in a network and apparatus for the same|
|US20070262653 *||Mar 5, 2007||Nov 15, 2007||Stmicroelectronics Limited||Multiple purpose integrated circuit|
|US20080008192 *||Nov 21, 2006||Jan 10, 2008||Fujitsu Limited||Relay device, path control method, and path control program|
|US20080034414 *||Oct 9, 2007||Feb 7, 2008||Juniper Networks, Inc.||Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device|
|US20080162730 *||Feb 4, 2008||Jul 3, 2008||Digital Asset Enterprises, L.L.C.||Restricting communication of selected processes to a set of specific network addresses|
|US20090049193 *||Feb 4, 2008||Feb 19, 2009||Digital Asset Enterprises, L.L.C.||Restricting communication of selected processes to a set of specific network addresses|
|US20090183239 *||Jan 23, 2009||Jul 16, 2009||Sun Microsystems, Inc.||Embedded management system for a physical device having virtual elements|
|US20100281533 *||Nov 4, 2010||Juniper Networks, Inc.||Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device|
|US20110238832 *||May 3, 2010||Sep 29, 2011||Pawan Goyal||Restricting communication of selected processes to a set of specific network addresses|
|US20140344870 *||Aug 4, 2014||Nov 20, 2014||Sony Pictures Entertainment Inc.||Media network environment|
|USRE42726||Jan 9, 2008||Sep 20, 2011||Digital Asset Enterprises, L.L.C.||Dynamically modifying the resources of a virtual server|
|USRE43051||Dec 27, 2011||Digital Asset Enterprises, L.L.C.||Enabling a service provider to provide intranet services|
|USRE44210||May 15, 2009||May 7, 2013||Digital Asset Enterprises, L.L.C.||Virtualizing super-user privileges for multiple virtual processes|
|USRE44686||Sep 19, 2011||Dec 31, 2013||Digital Asset Enterprises, L.L.C.||Dynamically modifying the resources of a virtual server|
|USRE44723||Jun 14, 2007||Jan 21, 2014||Digital Asset Enterprises, L.L.C.||Regulating file access rates according to file type|
|U.S. Classification||709/238, 709/250, 709/230|
|International Classification||H04L29/12, H04L29/06|
|Cooperative Classification||H04L61/10, H04L63/101, H04L29/12018, H04L29/12009|
|European Classification||H04L63/10A, H04L61/10, H04L29/12A, H04L29/12A1|
|Jun 12, 2000||AS||Assignment|
Owner name: ENSIM CORPORATION, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHARMA, ROSEN;KESHAV, SRINIVASAN;REEL/FRAME:010897/0504
Effective date: 20000606
|Jul 19, 2007||AS||Assignment|
Owner name: DIGITAL ASSET ENTERPRISES, L.L.C., DELAWARE
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ENSIM CORPORATION;REEL/FRAME:019580/0145
Effective date: 20070607
|Sep 14, 2007||FPAY||Fee payment|
Year of fee payment: 4
|Sep 23, 2011||FPAY||Fee payment|
Year of fee payment: 8
|Nov 23, 2015||AS||Assignment|
Owner name: CUFER ASSET LTD. L.L.C., DELAWARE
Free format text: MERGER;ASSIGNOR:DIGITAL ASSET ENTERPRISES, L.L.C.;REEL/FRAME:037118/0001
Effective date: 20150812
|Nov 24, 2015||FPAY||Fee payment|
Year of fee payment: 12